Data Processing Agreement Review

Enterprise customers and vendors increasingly require a DPA. We review or revise yours — Canadian privacy law focused, GDPR-aware, flat-fee pricing.

Two Service Tiers

Choose Review Only for a written memo of issues identified, or Review and Edit for a fully revised DPA with tracked changes.

Vendor & Customer DPAs

Whether you are signing a customer's DPA or proposing your own template, we make sure the obligations match how you actually process data — and what you can defend.

Canadian Law Compliance

Drafts checked for Ontario jurisdiction, PIPEDA privacy compliance, Consumer Protection Act requirements, and enforceable limitation of liability.

Fast Turnaround

Review Only in 2-3 business days. Review and Edit in 3-5 business days. Urgent options available.

Ready to skip the reading? Send us your draft now.

AI Drafted It. A Lawyer Should Review It.

Data Processing Agreements (DPAs) — sometimes called Data Processing Addenda — have become standard in enterprise B2B contracts. Customers require them. Vendors propose them. AI tools generate them. And the substance is often poorly understood by either side.

A weak or mismatched DPA creates real risk. You may be committing to data protection obligations that your operations cannot actually deliver. You may be accepting liability for breaches that should be the customer’s responsibility. You may be agreeing to assist with data subject requests in ways your systems cannot support.

At Onley Law, we review DPAs both as standalone documents and as redlines from counterparties. We offer two service tiers, depending on how much help you need.

Two Ways We Can Help

Option 1: Review Only

What it includes: A complete legal review of your existing Data Processing Agreement. We provide a written summary of issues identified, risks flagged, and specific recommendations for changes — delivered as a clear memo you can act on.

Best for: Businesses that have an internal team who can implement edits, and want a legal second opinion before going live.

Turnaround: Typically 2-3 business days. Flat-fee pricing provided after document review.

Option 2: Review and Edit (Tracked Changes)

What it includes: Everything in the Review Only option, plus a fully revised version of your Data Processing Agreement returned as a Word document with tracked changes. Every edit is visible so you know exactly what changed and why.

Best for: Businesses that want a finished, lawyer-revised document ready to use — not just a list of issues to fix themselves.

Why tracked changes? Transparency. You should see every revision a lawyer makes to your document, with full ability to accept or reject any edit.

Turnaround: Typically 3-5 business days. Flat-fee pricing provided after document review.

Choose Review Only or Review and Edit — we will quote within one business day.

What Your DPA Needs to Cover

Roles and Definitions: Clearly establish who is the data controller (or business) and who is the data processor (or service provider). Roles may differ between PIPEDA, GDPR, and U.S. state laws.

Scope of Processing: Categories of personal information processed, categories of data subjects, processing purposes, and processing duration.

Processor Obligations: Confidentiality, security measures, breach notification timelines, assistance with data subject requests, and audit cooperation.

Sub-Processors: Process for notifying customers about sub-processors, customer objection rights, and flow-down obligations to sub-processors.

International Data Transfers: Mechanisms for cross-border transfers — particularly relevant if EU or UK data is involved (Standard Contractual Clauses, UK Addendum).

Data Subject Requests: How the processor will assist with access, correction, deletion, and portability requests under applicable law.

Security Measures: Specific technical and organizational measures required. Generic “industry standard” language is not enough.

Breach Notification: Timeframes (often 24-72 hours), required information, and follow-up cooperation. PIPEDA, Quebec Law 25, GDPR, and U.S. state laws have different breach notification requirements.

Audit Rights: The customer’s right to audit your data processing practices. The scope and frequency must be reasonable but credible.

Return or Deletion of Data: What happens at contract termination — return, delete, or extended retention with explicit terms.

Liability and Indemnification: How privacy-related liability flows between the parties. This is often where DPAs and main agreements need to be carefully harmonized.

Who Needs a DPA Review?

SaaS Vendors Selling to Enterprise: Enterprise procurement teams require DPAs. A well-drafted standard DPA accelerates deal closing and reduces redline cycles.

Cloud and Hosting Providers: Customer data flows through your infrastructure. The DPA defines what you do with it, how you protect it, and what happens if something goes wrong.

Marketing and Analytics Providers: If you process personal information on behalf of your customers, you need a DPA — and what you can deliver against the DPA matters.

AI and Machine Learning Vendors: Customer prompt data, training data restrictions, retention, and model behaviour all need clear DPA treatment.

Businesses Receiving a Customer’s DPA: The DPA your enterprise customer sent you is drafted for them, not for you. Before signing, you need someone to identify gaps between the DPA obligations and your actual operations.

A Note on Canadian Law

DPAs operating in Canada need to account for PIPEDA’s accountability principle, Quebec Law 25’s privacy impact assessment requirements for transfers, and provincial privacy law (especially Alberta’s PIPA, BC’s PIPA, and Quebec’s Law 25). When EU or UK data is involved, Standard Contractual Clauses and UK Addendum requirements apply.

A DPA drafted from a U.S. template or generated by AI rarely addresses these Canadian-specific requirements. A legal review brings it into proper alignment.

Frequently Asked Questions

What is the difference between a DPA and a Privacy Policy?

A Privacy Policy is your public-facing disclosure to users. A Data Processing Agreement is a B2B contract between you and a counterparty (customer or vendor) that governs how personal information is processed between you. Different documents, different audiences, different legal purposes.

When do I need a DPA?

Whenever you are processing personal information on behalf of another business (you are a processor), or having another business process personal information on your behalf (you are a controller). For most B2B SaaS and professional services relationships, this means almost always.

A customer sent me their DPA template. Should I just sign it?

No. Customer DPAs are drafted for the customer’s benefit and often impose obligations that may not match your actual operations. We can review the DPA, flag misalignments, and propose redlines.

Do I need separate DPAs for EU customers?

If you have EU customers, you likely need Standard Contractual Clauses or other GDPR-recognized transfer mechanisms. UK customers may require the UK Addendum. A well-drafted DPA can address these in a single document.

Do you also review related documents?

Yes. DPAs work alongside MSAs, Privacy Policies, and Acceptable Use Policies. We offer the same Review Only and Review and Edit service for all of these.

How do I get a quote?

Send us your draft DPA or the counterparty’s DPA using the form below. We will provide a flat-fee quote within one business day.

No retainer required. No billable-hour surprises.

Get a Flat-Fee Quote

Tell us about your draft below. We will reply within one business day with a flat-fee quote and instructions for sending us your document (if you have one ready).
